Method of Processing Serial Data, Serial Data Processor and Architecture Therefore

Field of the Invention 

The invention relates generally to processor architectures and more specifically to
a flexible architecture for processing of serial data.

Background of the Invention 

Before the advent of the Internet, corporate data networks typically consisted of
dedicated telecommunications lines leased from a public telephone company. Since the
hardware implementation of the data networks was the exclusive property of the
telephone company, a regulated utility having an absolute monopoly on the medium,
security was not much of a problem; the single provider was contractually obligated to be
secure, and the lack of access to the switching network from outside made it more or less
resistant to external hacking and tampering.

Today, more and more enterprises are discovering the value of the Internet which
is currently more widely deployed than any other single computer network in the world
and is therefore readily available for use by a multinational corporate network. Since it is
also a consumer-level product, Internet access can usually be provided at much lower
cost than the same service provided by dedicated telephone company network. Finally,
the availability of the Internet to the end user makes it possible for individuals to easily
access the corporate network from home, or other remote locations.

The Internet however, is run by public companies, using open protocols, and in-band
routing and control that is open to scrutiny. This environment makes it a fertile
proving ground for hackers. Industrial espionage is a lucrative business today, and
companies that do business on the Internet leave themselves open to attack unless they
take precautions.

Several standards exist today for privacy and strong authentication on the Internet.
Privacy is accomplished through encryption/decryption. Typically, encryption/decryption
is performed based on algorithms which are intended to allow data transfer over an open
channel between parties while maintaining the privacy of the message contents. This is
accomplished by encrypting the data using an encryption key by the sender and
decrypting it using a decryption key by the receiver. In symmetric key cryptography, the
encryption and decryption keys are the same, whereas in public key cryptography the
encryption and decryption keys are different.

Sent By: Freedman & Associates; 613 274 7414; Dec-22-00 16:25; Page 12/43

Types of Encryption Algorithms 

Encryption algorithms are typically classified into public-key and secret key
algorithms. In secret-key algorithms, keys are secret whereas in public-key algorithms,
one of the keys is known to the general public. Block ciphers are representative of the
secret-key cryptosystems in use today. A block cipher takes a block of data, for example
32-128 bits, as input data and produces the same number of bits as output data. The
encryption and decryption operations are performed using the key, having a length
typically in the range of 56-128 bits. The encryption algorithm is designed such that it is
very difficult to decrypt a message without knowing the exact value of the key.

In addition to block ciphers, Internet security protocols also rely on public-key
based algorithms. A public key cryptosystem such as the Rivest, Shamir, Adleman (RSA)
cryptosystem described in U.S. Pat. No. 5,144,667 issued to Pogue and Rivest uses two
keys, one of which is secret - private - and the other of which is publicly available. Once
someone publishes a public key, anyone may send that person a secret message encrypted
using that public key; however, decryption of the message can only be accomplished by
use of the private key. The advantage of such public-key encryption is private keys are
not distributed to all parties of a conversation beforehand. In contrast, when symmetric
encryption is used, multiple secret keys are generated, one for each party intended to
receive a message, and each secret key is privately communicated. Attempting to
distribute secret keys in a secure fashion results in a similar problem as that faced in
sending the message using only secret-key encryption; this is typically referred to as the
key distribution problem.

Key exchange is another application of public-key techniques. In a key exchange
protocol, two parties can agree on a secret key even if their conversation is intercepted by
a third party. The Diffie-Hellman exponential key exchange method, described in U.S.
Pat. No. 4,200,770, is an example of such a protocol.



Most public-key algorithms, such as RSA and Diffie-Hellman key exchange, are
based on modular exponentiation, which is the computation of a^x mod p. This expression
means "multiply a by itself x times, divide the answer by p, and take the remainder."
This is very computationally expensive to perform for the following reason: In order to
perform this operation, many repeated multiplication operations and division operations
are required. Techniques such as Montgomery's method, described in "Modular
Multiplication Without Trial Division," from Mathematics of Computation, Vol. 44, No.
170 of April 1985, can reduce the number of division operations required but do not
overcome this overall computational expense. In addition, for present day encryption
systems the numbers used are very large (typically 1024 bits or more), so the multiply
and divide instructions found in common CPUs cannot be used directly. Instead, special
algorithms that break down the large multiplication operations and division operations
into operations small enough to be performed on a CPU are used. These algorithms
usually have a run time proportional to the square of the number of machine words
involved. These factors result in multiplication of large numbers being a very slow
operation. For example, a Pentium® processor can perform a 32x32-bit multiply in 10
clock cycles. A 2048-bit number can be represented in 64 32-bit words. A 2048x2048 bit
multiply requires 64x64 separate 32x32-bit multiplication operations, which takes 40960
clocks on the Pentium® processor assuming no pipeline processing is performed. An
exponentiation with a 2048-bit exponent requires up to 4096 multiplication operations if
done in the straightforward fashion, which requires about 167 million clock cycles. If the
Pentium processor is running at 166 MHz, the entire operation requires roughly one
second. Of course, the division operations add further time to the overall computation
times. Clearly, a common CPU such as a Pentium cannot expect to do key generation and
exchange at any great rate.
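The cost figures quoted for modular exponentiation can be reproduced by counting operations. The following is an added example, not part of the original text: it counts the 32x32-bit word multiplies in a schoolbook multiplication and the modular multiplies in straightforward square-and-multiply. The function names, the all-ones worst-case operands and the modulus are constructed for illustration.

```python
WORD_BITS = 32
WORD_MASK = (1 << WORD_BITS) - 1


def to_words(n, count):
    """Split a non-negative integer into `count` little-endian 32-bit words."""
    return [(n >> (WORD_BITS * i)) & WORD_MASK for i in range(count)]


def from_words(words):
    """Reassemble little-endian 32-bit words into an integer."""
    return sum(w << (WORD_BITS * i) for i, w in enumerate(words))


def schoolbook_multiply(a_words, b_words):
    """Multiply two multi-word numbers; return (product_words, word_multiplies)."""
    result = [0] * (len(a_words) + len(b_words))
    word_multiplies = 0
    for i, a in enumerate(a_words):
        carry = 0
        for j, b in enumerate(b_words):
            # one 32x32-bit hardware multiply per inner iteration
            total = result[i + j] + a * b + carry
            word_multiplies += 1
            result[i + j] = total & WORD_MASK
            carry = total >> WORD_BITS
        result[i + len(b_words)] = carry
    return result, word_multiplies


def mod_exp(base, exponent, modulus):
    """Left-to-right square-and-multiply; return (result, modular_multiplies)."""
    result = 1
    multiplies = 0
    for bit in bin(exponent)[2:]:
        result = (result * result) % modulus      # one squaring per exponent bit
        multiplies += 1
        if bit == "1":
            # The extra multiply depends on a secret exponent bit, so the running
            # time leaks the key; production code uses a constant-time ladder.
            result = (result * base) % modulus
            multiplies += 1
    return result, multiplies


def estimate(bits=2048, clocks_per_word_multiply=10, clock_hz=166_000_000):
    """Worst-case cost of one exponentiation, using the figures from the text."""
    words = bits // WORD_BITS
    worst = (1 << bits) - 1                       # constructed: every bit set
    _, word_multiplies = schoolbook_multiply(to_words(worst, words),
                                             to_words(worst, words))
    modulus = (1 << bits) - 159                   # constructed odd modulus
    _, modular_multiplies = mod_exp(3, worst, modulus)
    clocks_per_multiply = word_multiplies * clocks_per_word_multiply
    total_clocks = modular_multiplies * clocks_per_multiply
    return {
        "word_multiplies": word_multiplies,
        "clocks_per_multiply": clocks_per_multiply,
        "modular_multiplies": modular_multiplies,
        "total_clocks": total_clocks,
        "seconds": total_clocks / clock_hz,
    }


if __name__ == "__main__":
    for name, value in estimate().items():
        print(f"{name}: {value}")
```

The division (reduction) steps are not counted, which matches the text's remark that they add further time on top of this estimate.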
Because public-key algorithms are so computationally intensive, they are
typically not used to encrypt entire messages. Instead, private-key cryptosystems are used
for message transfer. The private key used to encrypt the message, called the session key,
is chosen at random and encrypted using a public key. The encrypted session key and the
encrypted message are then sent to the other party. The other party uses its private key to
decrypt the session key, and then the message is decrypted using the session key. A
different session key is used for each communication, so that if security of a session key
is ever breached, only the one message encrypted therewith is accessible. This
public-key/private-key method is also useful to protect continuous streams of data within
communications, such as interactive terminal sessions that do not terminate in normal
operation or that continue for extended periods of time. Preferably in this case, the
session key is periodically changed by repeating the key exchange technique. Again,
frequent changing of the session key limits the amount of data compromised when
security of the session key is breached.

Prior Art

Network-level encryption devices, allowing access to corporate networks using a
software-based solution are experiencing widespread usage. Products typically perform
encryption entirely in software. The software complexity and processor speed limit
throughput of such a system. Also, session key generation using public-key techniques is
time consuming and is therefore undertaken only when necessary. Software does have
advantages such as ease of modification and updating to encryption algorithms
implemented thereby.

Other available devices use a combination of hardware and software in order to
provide encryption. For example, the Entrust Sentinel X.25 encryption product uses a
DES (Data Encryption Standard) chip produced by AMD® to perform DES symmetric-key
encryption. Hardware implementations of the DES algorithm are much faster than
software implementations, since DES was designed for efficient implementation in
hardware and dedicated hardware solutions are known to be more efficient. A
transposition that takes many central processing unit (CPU) instructions on a general
purpose processor in execution of software is done using parallel special-purpose
lookup tables.

The Sentinel also makes use of a Motorola DSP56000® processor to perform
public-key operations. When designed, support of single-cycle multiplication by the
digital signal processor (DSP) made this processor significantly faster than regular
complex instruction set computers (CISC) microprocessors.

Most hardware encryption devices are severely limited in the number of
algorithms that they support. For example, the AMD chip used in the Sentinel performs
only DES. More recent devices from Hi/Fn can perform DES and RC4. However, other
standard algorithms such as RC5 and IDEA require use of another product.

It would be advantageous to provide a flexible processor architecture for
supporting encryption and other processing of data within a data stream.

Object of the Invention 

In order to overcome these and other limitations of the prior art it is an object of
the invention to provide a flexible processor architecture for supporting encryption and
other processing of data within a data stream.

Summary of the Invention 

In accordance with the invention there is provided a data processor for processing
data comprising an input port for receiving packets of data; at least a port for
communication with each of a plurality of processors; a first processor in communication
with the at least a port and for processing received data to provide a header including a
list of processes to perform on the packet of data and an ordering thereof, the header
stored within a packet of data to which the header relates; a buffer for storing data
received from the at least a port; a buffer controller for determining based on the header
within a packet a next processor of the plurality of processors to process said data packet
and for providing said data packet to the at least a port for provision to the next processor.

In accordance with another embodiment of the invention there is provided a data
processor for processing data comprising a buffer for storing data; a plurality of special
purpose processors, each for processing data from within the buffer; a buffer controller in
communication with each special purpose processor, for determining a next processor of
the special purpose processors to process the data, and for providing the data to the
determined next processor.

In accordance with yet another embodiment there is provided a data processor for
processing a packet of data comprising an addressing network; a plurality of special
purpose processors, each for processing data received via the addressing network and for
providing processed data to the addressing network, the addressing network
interconnecting the plurality of special purpose processors; a first processor for providing
data for use in directing a packet of data through the addressing network to a plurality of
processors one after another in a predetermined order, the data associated with the packet,
wherein different packets are provided with different data for directing them differently
through the addressing network and wherein each special purpose processor is for
performing a function absent knowledge of the overall high level packet processing
operation.

In accordance with another aspect of the invention there is provided a method for
processing stream data comprising receiving stream data including packets of data at an
input port; processing received data packets to provide for each a header including a list
of processes to perform on the packet and an ordering thereof, the header stored within
the packet to which the header relates; providing the packet with the associated header to
a buffer for storage; for each packet within the buffer:

determining based on the header within the packet a next processor to process the
packet;

providing the packet to the determined next processor for processing, and
receiving the processed packet from the processor and storing it in the buffer, the
stored packet including one of an indication that processing by the next processor
is complete and that no processing by the next processor is required; and,

when no further processes are indicated in a header of a packet, providing the packet to
an output port.

In accordance with yet another aspect of the invention there is provided an
architecture for processing data comprising:

a first processing element for receiving data and for formatting the data with a list
of processes selected from available processes and an ordering thereof, the list of
processes for being performed on the data;

further processors for performing at least one process from the available
processes; and,

a routing memory for providing data to processors for performing the processes
according to the ordering of the listed processes.



Brief Description of the Drawings 

The invention will now be described with reference to the drawings in which like
reference numerals refer to similar items and in which:

Fig. 1 is a prior art block diagram of a pipeline processor for processing of data;

Fig. 2 is a simplified flow diagram of a method for processing a packet using the
pipeline processor of Fig. 1;

Fig. 3 is a simplified architectural diagram of an embodiment of the present
invention;

Fig. 4 is a simplified flow diagram of a method according to the invention;

Fig. 5 is a simplified block diagram of a processor architecture according to the
invention;

Fig. 6 is a data structure diagram for a super packet;

Fig. 7 is a simplified block diagram of a processor architecture according to the
invention;

Fig. 8 is a simplified block diagram of a processor architecture according to the
invention;

Figs. 9a-9d is a data structure diagram for a super packet throughout a processing
operation being performed thereon; and,

Fig. 10 is a simplified block diagram of a processor array for use with an
architecture according to the invention.

Detailed Description of the Invention

In data processing it is common that data is received in a format commonly
referred to as packets. A packet is a small set of data including content data and
classification data. The classification data includes one or more of format data, routing
data, data type information, data classification, packet grouping data, and so forth.

As each packet is received it is processed in accordance with its classification data
in order to act on the data in accordance with requirements relating to that classification
of data.

An example of packet classification and processing according to the prior art is
now described with reference to Fig. 1 and Fig. 2. In Fig. 1 is shown a simplified block
diagram of a serial pipeline processor. The processor is shown with a single pipeline path
10 for processing data received serially at a data input port 12. The data is classified in a
first stage of the pipeline 14. The classified data is then routed to an appropriate next
pipeline stage through address lines 16. Examples of subsequent pipeline stages include
cipher processing, routing processors, etc.

Referring to Fig. 2, a simplified flow diagram of a method of packet processing
for a packet received at input port 12 is shown. The packet is received. It is classified to
determine a packet format. Here, the format is encrypted so the encrypted packet data is
provided to a cipher processor for decryption. Once decrypted, the plain text is stored in a
data buffer from which it is transferred to a destination process such as a communication
port of a personal computer.

Though the packet processor of Figs. 1 and 2 is efficient and makes use of parallel
hardware based processors that are typically optimised for performing a specific task, the
processor architecture is extremely inflexible. Each pipeline stage requires knowledge of
all immediately subsequent pipeline stages in order to direct partially processed packets.
Also, some pipeline stages are fully utilised while others are under utilised. Thus,
efficiency is compromised. Finally, each packet follows a same path with some simple
switching to ensure that packets are not processed when there is no need to do so.

Referring to Fig. 3, a simplified architectural diagram of an embodiment of the
present invention is shown. Here a data buffer 30 is shown disposed central to a packet
processor. A master processor acts to format each packet in order to insert a header
therein indicative of processes required for processing that packet. The master processor
is programmable and understands the processing of packets at a high level. Once the
packet is reformatted, it is returned to the data buffer from which it is routed to a
processing element for performing the first listed function. For example, in the example
of Fig. 2, the first function is determining a format of the packet. The packet format is
determined and for each determined format a number of possible functions may be added
or removed from the list within the header. For example, an encrypted packet may have
the function cipher added to it along with some form of key identifier. The key identifier
and the packet is then provided to a cipher processor from the buffer. In the cipher
processor the packet is decrypted and the decrypted packet is returned to the buffer. The
buffer continues to provide the packet to processors as long as further functions remain
within the header. When the header is empty, the packet is transferred to an output port
for storage, for example in a received data buffer. Alternatively, a last function indicates
the provision of the data to a data output port.

Because of the central data buffer of Fig. 3, the number and type of processors is
easily varied, upgraded, expanded and so forth. Each time a new function is supported,
the master processor is reprogrammed to know of the new function and appropriate
packets for which to list the process.

Advantageously, only the master processor inserts functions within a header. As
such, only the master processor needs to capture data relating to packet processing and
only the master processor requires reprogramming when the processing method or
capabilities are changed.

Referring to Fig. 4, a simplified flow diagram of a method according to the
invention is shown. Here, a packet is received. The master processor inserts a header
indicative of classification, cipher processing, combining packets, and providing the
combined data to the data output port. The buffer then receives the formatted packet and
provides it to a classification processor that strips out classification data within the packet
and replaces it with a known classification code. The packet is then returned to the buffer.
The returned packet has the classification step removed therefrom either by removing the
function from the header or by indicating the function as completed. The classified packet
is then provided to a processor for ciphering. The cipher processor decrypts the packet
data and returns the clear text packet to the buffer. The clear text packet is now provided
to a combining processor that detects the packet classification information to determine if
it is part of a segmented larger packet and combines it with those segments of the larger
packet that are already in the combiner. When the larger packet is complete, it is returned
to the buffer and then provided to the output data port.

As is clear to one of skill in the art, the use of such an architecture greatly
facilitates updating the processor capabilities, programming, and power. For example, a
new cipher processor is easily added. The new resource is identified to the buffer as a
cipher processor to allow the buffer to send packets having a cipher function required to
the new processor. Similarly, a classification processor can be upgraded or changed
without affecting the processor.

Also, the core processor according to the inventive architecture comprises a buffer
and a master processor. The master processor is programmable to allow for upgradable
and flexible packet processing. The buffer is capable of recognising and interfacing with
a plurality of different dedicated processors. Of course, when desired, the dedicated
processors are included within a same integrated processor.

Referring to Fig. 5, a simplified architectural diagram of a processor according to
the invention is shown. A super packet buffer 51 is in communication with a plurality of
data elements 52. The data elements 52 are for providing data to the super packet buffer
51 and for receiving data from the super packet buffer 51. Though the data element D1 is
shown for providing and the data element D2 is shown receiving data, data elements 52
optionally support bidirectional communication with the super packet buffer (SPB) 51.

The SPB is also in communication with a plurality of processors. Processors 53
provide data processing including determining further processing required for a data
packet. Processors 54 are referred to as client processors and perform data processing on
packets that are received. Typically client processors 54 are dedicated to a single form of
processing that is self contained and can be performed on a packet in isolation. Cipher
processing is one such process. Thus, a DES encryption engine typically forms a client
processor for receiving data, for encrypting the data, and for returning the encrypted data
to the SPB.

Each communication port is typically controlled by a driver process in execution
within the SPB 51. For example, a driver process for a DES encryption engine would
typically strip the header from a packet and provide the data to be encrypted by the
processor along with key data in the form of a key or of a key identifier. The DES
processor then processes the data and returns the processed data to the driver process
which reinserts the header data, indicates the DES processing as completed, and passes
the packet back to the SPB 51. The use of driver processes allows for use of
non-proprietary processing elements - legacy processors - for performing dedicated tasks.
The use of driver processes also allows for system maintainability and upgradability.

Referring to Fig. 6, an exemplary super packet data structure is shown. The super
packet comprises a header, an ordered list of operations, data relating to the operations,
key data, and packet data. The header provides data used for identifying the super packet
and for tracking of same. Optionally, the header also includes auditing information for
use in monitoring performance, debugging, security audits, and other functions wherein a
log is useful.

The control entries include a list of processes - functions - required for the data
within the data buffer. These processes are generally listed in a generic fashion such that
the super packet buffer routes the super packet to any of a number of available processors
for performing said function. Some functions require data, which is stored either
... example, a cipher processor may require an indication of which of encrypt/decrypt to
perform. Key data is stored in a subsequent set of fields and typically identifies keys by
identifier instead of storing within the actual super packets. Finally, the data to be
processed is included within the super packet.



Referring to Fig. 7, an architectural diagram of another embodiment of the
invention is shown. Here, a resource manager 71 maintains information on resource
availability and so forth while agents 72 in execution within the super packet buffer 51
operate to provide super packets to processors 75 in accordance with their headers. Client
specific agents 73 act as part of the driver process and communicate with the agents 72 to
determine data that will be suitably processed by the c... determined, the remainder of
the driver process 74 acts to format the data for receipt by the client 75.

Referring to Fig. 8, a simplified architectural diagram of a processor for use in
supporting Internet protocol security (IPSEC) processing is shown. The process of data
reaching a processor having an architecture according to the invention is shown in Figs.
9a-9d. The data element 81 performs ingress processing of data prior to providing the
data in the form of a super packet of data to the super packet buffer 51. The super packet
of data includes a header indicative of a single process - that of the server processor 82
for processing the data packet. The super packet is then provided to the IPSEC server 82
where it is converted into a super packet more indicative of correct processing. The
IPSEC server 82 is the only processor that has knowledge of the overall process being
performed on each incoming data packet. All other processors perform their single
function absent knowledge of how it fits into the global scheme.

The super packet is returned to the super packet buffer 51 from the server
processor 82. Once there, the super packet is provided to the client processor 83 for IP
header manipulation. The data within the data buffer is shown (Fig. 9b) with IP header
information and encapsulated security payload (ESP) header information therein. The
process, control 2, is then marked as performed and the super packet is returned to the
super packet buffer 51. The next process is that process indicated by control 3, 3DES
Encryption. Client 84 provides this functionality. The super packet is provided to client
84 where, as shown in Fig. 9b encryption is performed and the function control 3 is
marked as having been performed. The next function to be performed is HMAC96-MD5
Authentication. Client 85 performs this function. The super packet is provided to the
client 85 where, as shown in Fig. 9c, Hashed Message Authentication Code (HMAC) is
added to the data within the buffer. The super packet is returned to the super packet
buffer 51 once the function is marked as having been performed.

The next function is control 5, which requires IPSEC Header Manipulation. The
client 83 is capable of performing this function as well as the function of control 2. The
super packet is provided to the client 83 where the data is reformatted as shown in Fig.
9c. Once again the function control 5 is marked as having been performed and the super
packet is returned to the super packet buffer. Finally, the remaining function relates to
egress processing performed by data element 86 and the results of which are shown in
Fig. 9d. The super packet is stripped of its header leaving a processed packet of data for
communication. Optionally, the stripped header information is provided to the server for
use in real-time monitoring of performance and logging of performance data.
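The super packet structure of Fig. 6 and the routing walk-through for Fig. 8 above can be modelled in software. This is an added example, not code from the patent: the class and function names, key identifiers and header placeholders are assumptions, the SHA-256 keystream is a stand-in for the 3DES engine, and each client acts on the whole payload to keep the layout simple.

```python
import hashlib
import hmac
from dataclasses import dataclass, field


@dataclass
class Control:
    function: str                                # generic name, e.g. "cipher"
    params: dict = field(default_factory=dict)   # data relating to the operation
    done: bool = False


@dataclass
class SuperPacket:
    controls: list                               # ordered list of operations
    key_ids: dict                                # key identifiers, never key bytes
    data: bytes
    audit: list = field(default_factory=list)    # optional auditing information


class CipherClient:
    """Stand-in for cipher client 84; key bytes never leave this object."""

    def __init__(self, keys):
        self._keys = keys                        # key id -> key bytes

    def __call__(self, data, params, key_ids):
        if params.get("direction") not in ("encrypt", "decrypt"):
            raise ValueError("cipher control needs an encrypt/decrypt indication")
        key, stream, counter = self._keys[key_ids["cipher"]], b"", 0
        while len(stream) < len(data):           # SHA-256 keystream, NOT 3DES
            stream += hashlib.sha256(key + counter.to_bytes(4, "big")).digest()
            counter += 1
        return bytes(a ^ b for a, b in zip(data, stream))


class AuthClient:
    """Client 85: appends HMAC-MD5 truncated to 96 bits, keyed from its own store."""

    def __init__(self, keys):
        self._keys = keys

    def __call__(self, data, params, key_ids):
        key = self._keys[key_ids["auth"]]
        return data + hmac.new(key, data, hashlib.md5).digest()[:12]


def header_client(data, params, key_ids):
    """Client 83: prepends a constructed placeholder for the real header bytes."""
    return params["header"] + data


def ipsec_server(sp):
    """Server 82: the only element that knows the overall processing order."""
    sp.controls += [Control("ip_header", {"header": b"[IP|ESP]"}),
                    Control("cipher", {"direction": "encrypt"}),
                    Control("auth"),
                    Control("ipsec_header", {"header": b"[IPSEC]"})]
    sp.key_ids = {"cipher": "k-enc-1", "auth": "k-auth-1"}


class SuperPacketBuffer:
    def __init__(self, server):
        self._server = server
        self._clients = {}                       # function -> list of clients
        self._turn = {}                          # function -> round-robin counter

    def register(self, function, client):
        self._clients.setdefault(function, []).append(client)

    def process(self, sp):
        """Route until no control is pending, then strip the header (egress)."""
        while True:
            pending = next((c for c in sp.controls if not c.done), None)
            if pending is None:
                return sp.data
            if pending.function == "server":
                self._server(sp)
            else:
                pool = self._clients[pending.function]
                turn = self._turn.get(pending.function, 0)
                self._turn[pending.function] = turn + 1
                # driver process: the client gets payload, params and key ids only
                sp.data = pool[turn % len(pool)](sp.data, pending.params, sp.key_ids)
            pending.done = True
            sp.audit.append(pending.function)


def demo():
    """Run one constructed packet through the buffer; return (super packet, output)."""
    spb = SuperPacketBuffer(ipsec_server)
    spb.register("ip_header", header_client)
    spb.register("ipsec_header", header_client)
    spb.register("cipher", CipherClient({"k-enc-1": b"constructed-enc-key"}))
    spb.register("cipher", CipherClient({"k-enc-1": b"constructed-enc-key"}))
    spb.register("auth", AuthClient({"k-auth-1": b"constructed-auth-key"}))
    sp = SuperPacket([Control("server")], {}, b"constructed payload")
    return sp, spb.process(sp)
```

Registering a second cipher client changes nothing in the server or the other clients, and the audit trail in the header records the order in which functions were marked as performed.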



As is evident to those of skill in the art, only the server is provided with data
relating to the overall process. Replacement of the cipher processor client 84 with a new
version of the cipher processor has virtually no impact on the overall architecture or the
system. Though the server 82 needs to know steps for carrying out the process, these
steps are high level and the server 82 need not understand anything relating to IP
Header manipulation or HMAC. Advantageously, instead of replacing a client processor
a new client processor is simply added to the system to provide more than one client
processor for a single task.

Though the architecture is described with reference to a modular embodiment, the
entire processor architecture may be implemented within a single integrated circuit.
Preferably, the integrated circuit provides an interface for external processors to allow for
future dedicated modules and application specific data processing client modules.

Of course, when a single group of processing functions is performed sufficiently
many times in a same order, it is preferable to group those functions into a single client
processor. For example, encryption is a plurality of different functions that are grouped.
When an amount of IPSEC packet processing required is equivalent to the entire
throughput of each client processor required, an IPSEC packet processor including the
same functional elements arranged in a pipeline is preferably used as a client processor to
the super packet buffer. In this way, much of the SPB overhead is eliminated. Of course,
the flexibility to use the client processors for other processing operations is lost so, when
resource usage is less than a maximum resource usage, it is often preferable to maintain a
more flexible architecture.

Alternatively, a single pipeline processor is provided with a plurality of input
ports for providing access to the complete pipeline or a single, underutilised, processor
forming part of the pipeline processor. Of course, such an embodiment adds significant
complexity to the pipeline processor and therefore is considered less desirable than using
separate client processors or a dedicated function pipeline processor as described above.



In accordance with another embodiment of the invention as shown in Fig. 10, the
server processor stores within the header switching information for use in switching the
super packet within an array of processors. A packet is directed from the server processor
to a first processor for processing. The header and the packet data are separated so as to
not affect processing of the data. When the data is processed, header data is provided to
an output addressing switch and the super packet data is automatically routed in a pseudo
pipelined fashion to a subsequent processing element. Such an embodiment reduces
flexibility, expandability, functionality and so forth while adding to the overall hardware
complexity. That said, the performance of such an embodiment is likely superior to the
more flexible architecture described above and in many applications the lack of flexibility
and so forth is not considered a great disadvantage.



Alternatively, since the super packet includes data relating to individual
processes, it is possible to encode therein executable code for execution on the processor.
As such a general purpose processor is provided and when functions outside the scope of
the special purpose client processors is required, executable code and the super packet is
provided to the general purpose processor for processing thereof. Further alternatively,
only a pointer to the code is provided to reduce the overall super packet size.



In accordance with the diagrams, the invention is particularly well suited to
encryption functions wherein secret keys are guarded within single function modules to
enhance overall system security. The super packet buffer directs packets to different
modules as necessary to perform processing thereof without compromising secret keys
stored within those modules.

Numerous other embodiments may be envisaged without departing from the spirit
or scope of the invention.